Siri And Alexa Can Be Hacked… And No One Would Notice

Chinese researchers have discovered the one blind spot most smart assistants today are suffering from. Siri and Alexa (as well as Google Now and Cortana) are exposed to hackers everywhere due to one vulnerability manufacturers ignored.

A team from Zhejiang University discovered that millions of devices everywhere can be hacked at any moment. The only thing needed to hack a phone or a home speaker is an extra speaker and amp. See, researchers discovered that smart assistants can hear what humans don’t. They are susceptible to ultrasonic frequencies that are above the 20 kHz limit of human ears. Since they’re always-on, they can hear commands their owners don’t.

The team verified this theory by using a smartphone and a tiny speaker and amp worth no more than $3. Then, they watched as the assistants complied with different commands. Siri called a random phone number from an iPhone and activated FaceTime on iPad. A Nexus 7 opened a malicious website while an Amazon Echo was happy to “open the backdoor.”

This “Dolphin Attack” is usually possible only from a close distance; this means the hacker would need to be in the house if the device in question was a home speaker (which is less likely to happen). But in the case of a phone, the intruder could be standing right next to you at the traffic lights.

So, is there a way to defend yourself against it? The only thing you can do is turn off the always-on setting that’s enabled by default with most smart assistants on phones and tablets. On some speakers, like Amazon Alexa or Google Home, you have a mute button to help with that.

Still, this doesn’t solve the problem in the long term. Fact is, the microphones are “born” with these “super hearing” powers, so modifying them is almost impossible. Companies might have more success by tweaking the software and forcing digital assistants to ignore commands given at above 20 kHz. Unfortunately, some manufacturers are using ultrasonic pairing to connect their devices and might not be willing to give up that functionality yet.
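
One way the software-side filter suggested above could look, as an added example (not code from the researchers or from any assistant vendor): a gate that measures how much of each audio frame's energy sits above 20 kHz and refuses the utterance when that share is too high. It assumes the assistant can read raw samples at 96 kHz; the function names, frame size, thresholds and test tones are all constructed for illustration.

```python
import cmath
import math

SAMPLE_RATE = 96_000   # assumed capture rate (Hz); must exceed twice the highest band inspected
CUTOFF_HZ = 20_000     # upper limit of human hearing cited in the article
FRAME = 240            # 2.5 ms analysis frame -> 400 Hz per DFT bin
MAX_SHARE = 0.2        # constructed threshold: ultrasonic share of frame energy
MAX_FLAGGED = 0.1      # constructed threshold: fraction of frames allowed over MAX_SHARE


def ultrasonic_share(frame, rate=SAMPLE_RATE):
    """Fraction of a frame's spectral energy above CUTOFF_HZ (Hann-windowed DFT)."""
    n = len(frame)
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)))
                for i, s in enumerate(frame)]
    audible = ultrasonic = 0.0
    for k in range(1, n // 2):                      # skip DC, stop below Nyquist
        step = -2j * math.pi * k / n
        power = abs(sum(s * cmath.exp(step * i) for i, s in enumerate(windowed))) ** 2
        if k * rate / n > CUTOFF_HZ:
            ultrasonic += power
        else:
            audible += power
    total = audible + ultrasonic
    return ultrasonic / total if total else 0.0


def accept_command(samples):
    """Return False when too many frames are dominated by energy above CUTOFF_HZ."""
    frames = [samples[i:i + FRAME] for i in range(0, len(samples) - FRAME + 1, FRAME)]
    if not frames:
        return False                                # nothing to analyse: fail closed
    flagged = sum(1 for f in frames if ultrasonic_share(f) > MAX_SHARE)
    return flagged / len(frames) <= MAX_FLAGGED


def tone(freq_hz, seconds=0.02, amplitude=1.0):
    """Constructed test signal: a pure sine at freq_hz."""
    count = int(SAMPLE_RATE * seconds)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(count)]


if __name__ == "__main__":
    voice = [a + b for a, b in zip(tone(800), tone(2000, amplitude=0.5))]
    inaudible = tone(25_000)                        # constructed: above the 20 kHz limit
    print("voice-band input accepted:", accept_command(voice))
    print("ultrasonic input accepted:", accept_command(inaudible))
```

A gate like this only works if the capture path delivers samples fast enough to represent the ultrasonic band, and a device that relies on ultrasonic pairing would have to exempt that signal explicitly.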